Update from upstream: scoped policies, gnutls allowlisting, ...
implement scoped policies, e.g., cipher@SSH = ... implement algorithm globbing, e.g., cipher@SSH = -*-CBC deprecate derived properties: tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec deprecate unscoped form of protocol property openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes libssh: respect ssh_certs restrict FIPS:OSPP further improve Python 3.10 compatibility update documentation expand upstream test coverage FUTURE: disable CBC ciphers for all backends but krb5 openssl: LEGACY must have SECLEVEL=1, enabling SHA1 disable DHE-DSS in LEGACY bump LEGACY key size requirements from 1023 to 1024 add javasystem backend *ssh: condition ecdh-sha2-nistp384 on SECP384R1 set %verify(not mode) for backend sometimes-symlinks-sometimes-not gnutls: use allowlisting Resolves: bz1975854
This commit is contained in:
Alexander Sosedkin
parent
bd79a31b29
commit
7c076748f3
|
|
@ -1,12 +1,12 @@
|
|||
%global git_date 20210218
|
||||
%global git_commit 2246c55565af8c3bf09aa268eac55aa537678bb4
|
||||
%global git_date 20210628
|
||||
%global git_commit dd7d273d76b0739fcff5d95c39d7486bdb9b7410
|
||||
%{?git_commit:%global git_commit_hash %(c=%{git_commit}; echo ${c:0:7})}
|
||||
|
||||
%global _python_bytecompile_extra 0
|
||||
|
||||
Name: crypto-policies
|
||||
Version: %{git_date}
|
||||
Release: 3.git%{git_commit_hash}%{?dist}
|
||||
Release: 1.git%{git_commit_hash}%{?dist}
|
||||
Summary: System-wide crypto policies
|
||||
|
||||
License: LGPLv2+
|
||||
|
|
@ -26,15 +26,17 @@ BuildRequires: perl-generators
|
|||
BuildRequires: perl(File::pushd), perl(File::Temp), perl(File::Copy)
|
||||
BuildRequires: perl(File::Which)
|
||||
BuildRequires: python3-devel >= 3.6
|
||||
BuildRequires: python3-pytest
|
||||
# BuildRequires: python3-pylint # CentOS 9 Stream doesn't have it
|
||||
# BuildRequires: python3-flake8 # CentOS 9 Stream doesn't have it
|
||||
BuildRequires: python3-coverage
|
||||
BuildRequires: make
|
||||
|
||||
Conflicts: openssl < 1.1.1h
|
||||
Conflicts: nss < 3.44.0
|
||||
Conflicts: libreswan < 3.28
|
||||
Conflicts: openssh < 8.2p1
|
||||
Conflicts: gnutls < 3.6.11
|
||||
|
||||
# Most users want this, the split is mostly for Fedora CoreOS
|
||||
Recommends: crypto-policies-scripts
|
||||
Conflicts: openssh < 8.5p1
|
||||
Conflicts: gnutls < 3.7.2-3
|
||||
|
||||
%description
|
||||
This package provides pre-built configuration files with
|
||||
|
|
@ -44,10 +46,7 @@ such as SSL/TLS libraries.
|
|||
%package scripts
|
||||
Summary: Tool to switch between crypto policies
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Recommends: grubby
|
||||
|
||||
# fips-mode-setup merged into the scripts subpackage
|
||||
Obsoletes: fips-mode-setup < 20200702-1.c40cede
|
||||
Recommends: (grubby if kernel)
|
||||
Provides: fips-mode-setup = %{version}-%{release}
|
||||
|
||||
%description scripts
|
||||
|
|
@ -61,8 +60,10 @@ to enable or disable the system FIPS mode.
|
|||
|
||||
%prep
|
||||
%setup -q -n fedora-crypto-policies-%{git_commit_hash}-%{git_commit}
|
||||
%autopatch -p1
|
||||
|
||||
%build
|
||||
export OLD_GNUTLS=1 # FIXME: remove once gnutls-3.7.2-3 is in buildroot
|
||||
%make_build
|
||||
|
||||
%install
|
||||
|
|
@ -80,8 +81,8 @@ install -p -m 644 default-config %{buildroot}%{_sysconfdir}/crypto-policies/conf
|
|||
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/current
|
||||
touch %{buildroot}%{_sysconfdir}/crypto-policies/state/CURRENT.pol
|
||||
|
||||
# Drop pre-generated GOST-ONLY policy, we do not need to ship the files
|
||||
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/GOST-ONLY
|
||||
# Drop pre-generated EMPTY policy, we do not need to ship it
|
||||
rm -rf %{buildroot}%{_datarootdir}/crypto-policies/EMPTY
|
||||
|
||||
# Create back-end configs for mounting with read-only /etc/
|
||||
for d in LEGACY DEFAULT FUTURE FIPS ; do
|
||||
|
|
@ -98,7 +99,10 @@ done
|
|||
%py_byte_compile %{__python3} %{buildroot}%{_datadir}/crypto-policies/python
|
||||
|
||||
%check
|
||||
make check %{?_smp_mflags}
|
||||
export OLD_GNUTLS=1 # FIXME: remove once gnutls-3.7.2-3 is in buildroot
|
||||
sed -i 's|test: \(.*\) runflake8|test: \1|' Makefile # CentOS 9 Stream has no flake8
|
||||
sed -i 's|test: \(.*\) runpylint|test: \1|' Makefile # CentOS 9 Stream has no pylint
|
||||
make ON_RHEL9=1 test %{?_smp_mflags}
|
||||
|
||||
%post -p <lua>
|
||||
if not posix.access("%{_sysconfdir}/crypto-policies/config") then
|
||||
|
|
@ -147,17 +151,20 @@ end
|
|||
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/config
|
||||
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/nss.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/bind.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/java.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
|
||||
%ghost %config(missingok,noreplace) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/gnutls.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssl.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensslcnf.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/openssh.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/opensshserver.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/nss.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/bind.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/java.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/javasystem.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/krb5.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libreswan.config
|
||||
%ghost %config(missingok,noreplace) %verify(not mode) %{_sysconfdir}/crypto-policies/back-ends/libssh.config
|
||||
# %verify(not mode) comes from the fact
|
||||
# these turn into symlinks and back to regular files at will, see bz1898986
|
||||
|
||||
%ghost %{_sysconfdir}/crypto-policies/state/current
|
||||
%ghost %{_sysconfdir}/crypto-policies/state/CURRENT.pol
|
||||
|
|
@ -167,7 +174,6 @@ end
|
|||
%{_datarootdir}/crypto-policies/DEFAULT
|
||||
%{_datarootdir}/crypto-policies/FUTURE
|
||||
%{_datarootdir}/crypto-policies/FIPS
|
||||
%{_datarootdir}/crypto-policies/EMPTY
|
||||
%{_datarootdir}/crypto-policies/back-ends
|
||||
%{_datarootdir}/crypto-policies/default-config
|
||||
%{_datarootdir}/crypto-policies/reload-cmds.sh
|
||||
|
|
@ -186,6 +192,28 @@ end
|
|||
%{_mandir}/man8/fips-finish-install.8*
|
||||
|
||||
%changelog
|
||||
* Mon Jun 28 2021 Alexander Sosedkin <asosedkin@redhat.com> - 20210628-1.gitdd7d273
|
||||
- implement scoped policies, e.g., cipher@SSH = ...
|
||||
- implement algorithm globbing, e.g., cipher@SSH = -*-CBC
|
||||
- deprecate derived properties:
|
||||
tls_cipher, ssh_cipher, ssh_group, ike_protocol, sha1_in_dnssec
|
||||
- deprecate unscoped form of protocol property
|
||||
- openssl: set MinProtocol / MaxProtocol separately for TLS and DTLS
|
||||
- openssh: use PubkeyAcceptedAlgorithms instead of PubkeyAcceptedKeyTypes
|
||||
- libssh: respect ssh_certs
|
||||
- restrict FIPS:OSPP further
|
||||
- improve Python 3.10 compatibility
|
||||
- update documentation
|
||||
- expand upstream test coverage
|
||||
- FUTURE: disable CBC ciphers for all backends but krb5
|
||||
- openssl: LEGACY must have SECLEVEL=1, enabling SHA1
|
||||
- disable DHE-DSS in LEGACY
|
||||
- bump LEGACY key size requirements from 1023 to 1024
|
||||
- add javasystem backend
|
||||
- *ssh: condition ecdh-sha2-nistp384 on SECP384R1
|
||||
- set %verify(not mode) for backend sometimes-symlinks-sometimes-not
|
||||
- gnutls: use allowlisting
|
||||
|
||||
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 20210218-3.git2246c55
|
||||
- Rebuilt for RHEL 9 BETA for openssl 3.0
|
||||
Related: rhbz#1971065
|
||||
|
|
|
|||
2
sources
2
sources
|
|
@ -1 +1 @@
|
|||
SHA512 (crypto-policies-git2246c55.tar.gz) = 3b681d2d0b550a127de9ae706b6280710d144845d0ea5a78ebbb327adc6c6644dcc2016cbda2f68ed670a3c5395c494b9fbc4c2ca97832a1237ec618c2943b4e
|
||||
SHA512 (crypto-policies-gitdd7d273.tar.gz) = 9797e6c6b95ab4cb13e30016ac76b3bbdc5e23b42848ea11e81e91d433f62a5f1c3c6992f83760e69a5c3529e13d18b2f843e097e5be1afeb2b31dc1b39e94c0
|
||||
|
|
|
|||
Loading…
Reference in New Issue